Hi all,
the german online news from Heise Verlag has an article on the PGP/ADK
vulnerability. In there, they claim that PGP >= v.5 and GnuPG are
affected, only PGP 2.6.x to be secure. This has provoked an intense
discussion on their bulletin board. I think they're wrong ... :-)
What happened?
They refer to http://senderek.de/security/key-experiments.html where Ralf
explains why in his view ADKs are a bad idea. He explains, how ADKs work
in V4 key certificates (which are used by new PGPs and GnuPG).
Then they have taken the following paragraph from Ralf's page:
How to Avoid Version-4-Signatures
But how can you be sure if you have got someone else's public key with
a Version-4-self-signature?
Since DH-keys all have Version-4-self-signatures, you should avoid to
use those for encryption. But detecting V4-RSA-keys is sometimes
difficult. Using PGP553i for Windows V4-RSA-keys do present themselves
as V3-RSA-keys with key-IDs and fingerprints computed in
Version-3-style. Upgrading to PGP651i for Windows shows the same key
with a new V4-style key-ID and with a different new fingerprint but
truncated to the first 16 bytes, so that it looks like a V3-style
fingerprint, which it clearly is not. So if you see 16 byte
fingerprints you cannot be sure that the key does not have a
Version-4-self-signature. To be sure you have to go into byte analysis
of the key packets. Using GnuPG make things worse because all
V4-signatures I have created on RSA-keys were made using this program.
From this last comment they conclude that GnuPG is also affected. This
neglects the fact that GnuPG *ignores* the ADK part.
The only problem is (which Ralf might be aiming at), that a GnuPG user
"Bob" might think "I'm not affected, nothing can happen to me, 'cause
I'm using GnuPG". What in fact could happen is that Bob's generated V4
certificate is being extended by an ADK from the malicious
"Mallory". Mallory fools PGP-user "Alice" into believing that the
extended Bob-certificate is genuine. Alice includes this key into her
keyring and uses it to encrypt messages to Bob. If Mallory intercepts
these messages, he can read them.
BUT: this all depends on PGP using ADKs in the first place and not
checking whether the ADK is signed (that's what the current fuzz is
about). So it's a problem of Alice using a vulnerable version of PGP.
From this to claim "GnuPG is vulnerable" is very wrong, at least in my
view.
So, GnuPG is not "affected"!
Does anyone disagree with this explanation?
Cheers,
Nils
--
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
the german online news from Heise Verlag has an article on the PGP/ADK
vulnerability. In there, they claim that PGP >= v.5 and GnuPG are
affected, only PGP 2.6.x to be secure. This has provoked an intense
discussion on their bulletin board. I think they're wrong ... :-)
What happened?
They refer to http://senderek.de/security/key-experiments.html where Ralf
explains why in his view ADKs are a bad idea. He explains, how ADKs work
in V4 key certificates (which are used by new PGPs and GnuPG).
Then they have taken the following paragraph from Ralf's page:
How to Avoid Version-4-Signatures
But how can you be sure if you have got someone else's public key with
a Version-4-self-signature?
Since DH-keys all have Version-4-self-signatures, you should avoid to
use those for encryption. But detecting V4-RSA-keys is sometimes
difficult. Using PGP553i for Windows V4-RSA-keys do present themselves
as V3-RSA-keys with key-IDs and fingerprints computed in
Version-3-style. Upgrading to PGP651i for Windows shows the same key
with a new V4-style key-ID and with a different new fingerprint but
truncated to the first 16 bytes, so that it looks like a V3-style
fingerprint, which it clearly is not. So if you see 16 byte
fingerprints you cannot be sure that the key does not have a
Version-4-self-signature. To be sure you have to go into byte analysis
of the key packets. Using GnuPG make things worse because all
V4-signatures I have created on RSA-keys were made using this program.
From this last comment they conclude that GnuPG is also affected. This
neglects the fact that GnuPG *ignores* the ADK part.
The only problem is (which Ralf might be aiming at), that a GnuPG user
"Bob" might think "I'm not affected, nothing can happen to me, 'cause
I'm using GnuPG". What in fact could happen is that Bob's generated V4
certificate is being extended by an ADK from the malicious
"Mallory". Mallory fools PGP-user "Alice" into believing that the
extended Bob-certificate is genuine. Alice includes this key into her
keyring and uses it to encrypt messages to Bob. If Mallory intercepts
these messages, he can read them.
BUT: this all depends on PGP using ADKs in the first place and not
checking whether the ADK is signed (that's what the current fuzz is
about). So it's a problem of Alice using a vulnerable version of PGP.
From this to claim "GnuPG is vulnerable" is very wrong, at least in my
view.
So, GnuPG is not "affected"!
Does anyone disagree with this explanation?
Cheers,
Nils
--
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org